Threat of the Week: The FBI’s Sept. 11 Alert

The alert distributed to its members by the California and Nevada Credit Union Leagues had to cause chills: “Take Reasonable Steps,' Bureau Says.”

The FBI's Cyber Division has issued a “private sector advisory” regarding a possible cyber-related threat to U.S.-based and foreign financial institution websites on or about Sept. 11, 2013.”

Exactly what does this mean for your credit union?

Is the threat in fact real – remembering that in May a threatened Anonymous blitzkrieg against financial institutions amounted to a big goose egg.

The California-Nevada Leagues said they had gotten the word from the California Department of Business Oversight, an agency that oversees financial services.

That department confirmed to this reporter that it was the source and it passed along exactly what it had distributed: “The FBI Cyber Division has issued a Private Sector Advisory regarding a possible cyber-related threat to United States-based and foreign financial institutions on or about September 11, 2013. Although previous iterations of this effort have had limited if any impact to the targeted entities, the FBI encourages the private sector to take reasonable steps to secure cyber infrastructure in light of possible threats.”

Know this: The FBI also confirmed to this reporter that it in fact had distributed an alert to financial institutions about a possible Sept. 11 attack. The Bureau offered no additional details.

That lack of specificity complicates striking a preparedness posture, said multiple experts.

A vice president for security at a very large credit union in fact shrugged off the warning: “My take on it this is very few would be so bold as to attack the US on the one day that would result in a swift and complete reprisal. Political enemies of the state, in my opinion, wouldn’t touch this with a 10-foot pole and the rest I don’t believe could muster the resources to make a major impact. Am I the crazy one?” He requested anonymity because he is not authorized to speak for his institution.

Others take the threat more seriously. CUNA, through Executive Vice President Paul Gentile, had this to say: "CUNA believes cyber-security threats will be an ongoing issue for credit unions and the entire financial sector. We urge credit unions to maintain a robust enterprise risk management program that includes policies and procedures for cyber-security attacks."

Exactly what form might the threat take? Most experts appear to believe that if in fact anything materializes it probably will come as a Distributed Denial of Service (DDoS) attack, although at least the very largest institutions have gotten highly skilled at deflecting DDoS.

But DDoS is not the only possible attack vector. Recently, a group calling itself the Syrian Electronic Army hacked into several large media websites – notably the Washington Post and CNN -- by going in through a vulnerability in online widgets provided by a third-party content company, Outbrain.

Exploiting that vulnerability, the hackers inserted redirects so that when some users clicked on Washington Post content, for instance, they found themselves at the Syrian Electronic Army website.

The takeaway from this is that credit unions have to assure themselves that not only is their site secure, so is any content provided by third parties.

But attacks may take still other forms. Tom Kellermann, vice president of cyber-security at Trend Micro, stressed in an interview that there has been a “tremendous” improvement in cyber capabilities in the Middle East, making it difficult to predict exactly how they might attack.

He also said that potential bad actors are known to have been doing substantial reconnaissance on the financial sector.

Kellermann’s warning: take the FBI threat seriously because there are indeed plenty of serious threats out there.